Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Authentication with Okta SSO and User Sync after a user was renamed in Okta
Prerequisites
- SAML SSO and a User Sync connector for Okta
- Jira, Confluence or Bitbucket (as User Sync is only available for these three currently)
Problem
Once a user is renamed in Okta, the NameID sent via SAML response still holds the old name.
That remains the case, until the Update Now button is pressed in the application for SSO on Okta (see screenshot below).
User Sync is also retrieving the new username without any problems, because it is using the Okta API.
Okta is planning to improve this in the future, until then it is rather inconvenient and can lead to a lot of manual effort and support tickets in large environments.
Solution
Adding an additonal attribute in Okta pulling the username will always contain the new username, without the need to push the above button.
With some reconfiguration in the SAML SSO app, renaming users won't cause problems.
Add the additional Okta attribute
- Navigate to your Okta application created earlier, when you setup SSO with Okta and Usersync as described here
- click on the general tab and the edit button in the SAML Settings section
- click Next on the first screen and proceed to the Configure SAML screen
- in the Attribute Statements (Optional) section, add an attribute with a name oktaUserName and map its value to user.login
- Name format can be left unspecified
- click on next and then finish to complete the changes
Adjust the SAML SSO configuration
- head over to the configuration page of the SAML SSO app in Jira, Confluence or Bitbucket and select your Okta IdP configuration
- make sure Basic settings/ Authentication Attribute is set to USERNAME
- scroll down to User ID Transformation and uncheck The IdP's NameID Attribute Matches the User IDs in Jira
- enter oktaUserName as User ID Attribute:
- scroll down to User Creation and Update and make sure that User Update Method is set to Update with UserSync-Connector
- if you setup Okta with User Sync according to our tutorial as described here this would be the case already
- if not, adjust the settings accordingly
- a bit further below in User Creation and Update from UserSync-Connector, make sure the UserSync-Connector is set to the Okta one
- enter oktaUserName as the Lookup Attribute again
- save the settings and conduct a test in an incognito browser window, after renaming one of your users already in Jira, Confluence or Bitbucket in Okta